WO2008070549A3 - Filtering and policing for defending against denial of service attacks a network - Google Patents
- Publication number
- WO2008070549A3 (application PCT/US2007/086065)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data packets
- filtering
- criterion
- transmitted
- output module
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/141—Denial of service attacks against endpoints in a network
Abstract
Described are computer-based methods and apparatuses, including computer program products, for filtering and policing for defending against denial of service attacks on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2009539507A JP2011503912A (en) | 2006-12-01 | 2007-11-30 | Information screening and monitoring restrictions for defense against network denial of service attacks |
EP07864977A EP2090061A2 (en) | 2006-12-01 | 2007-11-30 | Filtering and policing for defending against denial of service attacks a network |
CA002671451A CA2671451A1 (en) | 2006-12-01 | 2007-11-30 | Filtering and policing for defending against denial of service attacks on a network |
Applications Claiming Priority (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/565,944 US7940657B2 (en) | 2006-12-01 | 2006-12-01 | Identifying attackers on a network |
US11/565,940 US7672336B2 (en) | 2006-12-01 | 2006-12-01 | Filtering and policing for defending against denial of service attacks on a network |
US11/565,942 US7804774B2 (en) | 2006-12-01 | 2006-12-01 | Scalable filtering and policing mechanism for protecting user traffic in a network |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2008070549A2 WO2008070549A2 (en) | 2008-06-12 |
WO2008070549A3 WO2008070549A3 (en) | 2009-02-12 |
Family
ID=39493669
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2007/086065 WO2008070549A2 (en) | 2006-12-01 | 2007-11-30 | Filtering and policing for defending against denial of service attacks a network |
Country Status (4)
Country | Link |
---|---|
EP (1) | EP2090061A2 (en) |
JP (1) | JP2011503912A (en) |
CA (1) | CA2671451A1 (en) |
WO (1) | WO2008070549A2 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8339959B1 (en) | 2008-05-20 | 2012-12-25 | Juniper Networks, Inc. | Streamlined packet forwarding using dynamic filters for routing and security in a shared forwarding plane |
US8955107B2 (en) * | 2008-09-12 | 2015-02-10 | Juniper Networks, Inc. | Hierarchical application of security services within a computer network |
US8040808B1 (en) | 2008-10-20 | 2011-10-18 | Juniper Networks, Inc. | Service aware path selection with a network acceleration device |
FR2949934B1 (en) * | 2009-09-09 | 2011-10-28 | Qosmos | MONITORING A COMMUNICATION SESSION COMPRISING SEVERAL FLOWS ON A DATA NETWORK |
US9251535B1 (en) | 2012-01-05 | 2016-02-02 | Juniper Networks, Inc. | Offload of data transfer statistics from a mobile access gateway |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20010007133A1 (en) * | 1998-10-28 | 2001-07-05 | Mark Moriconi | System and method for maintaining security in a distributed computer network |
EP1367798A1 (en) * | 2002-05-29 | 2003-12-03 | Alcatel Canada Inc. | High-speed adaptative structure of elementary firewall modules |
US20040054925A1 (en) * | 2002-09-13 | 2004-03-18 | Cyber Operations, Llc | System and method for detecting and countering a network attack |
US6826698B1 (en) * | 2000-09-15 | 2004-11-30 | Networks Associates Technology, Inc. | System, method and computer program product for rule based network security policies |
US20050240993A1 (en) * | 2004-04-22 | 2005-10-27 | Treadwell William S | Methodology, system and computer readable medium for streams-based packet filtering |
WO2006037809A1 (en) * | 2004-10-08 | 2006-04-13 | International Business Machines Corporation | Offline analysis of packets |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5473607A (en) * | 1993-08-09 | 1995-12-05 | Grand Junction Networks, Inc. | Packet filtering for data networks |
CN1312892C (en) * | 1999-06-30 | 2007-04-25 | 倾向探测公司 | Method and apparatus for monitoring traffic in network |
-
2007
- 2007-11-30 CA CA002671451A patent/CA2671451A1/en not_active Abandoned
- 2007-11-30 JP JP2009539507A patent/JP2011503912A/en active Pending
- 2007-11-30 WO PCT/US2007/086065 patent/WO2008070549A2/en active Application Filing
- 2007-11-30 EP EP07864977A patent/EP2090061A2/en not_active Withdrawn
Also Published As
Publication number | Publication date |
---|---|
EP2090061A2 (en) | 2009-08-19 |
JP2011503912A (en) | 2011-01-27 |
WO2008070549A2 (en) | 2008-06-12 |
CA2671451A1 (en) | 2008-06-12 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108282497B (en) | DDoS attack detection method for SDN control plane | |
WO2008070549A3 (en) | Filtering and policing for defending against denial of service attacks a network | |
EP2241072B1 (en) | Method of detecting anomalies in a communication system using numerical packet features | |
WO2007103864A3 (en) | BEHAVIOR-BASED TRAFFIC DIFFERENTIATION (BTD) FOR DEFENDING AGAINST DISTRIBUTED DENIAL OF SERVICE(DDoS) ATTACKS | |
CN105791213B (en) | Policy optimization device and method | |
WO2007088424A3 (en) | Method and apparatus for monitoring malicious traffic in communication networks | |
CN101616129A (en) | The methods, devices and systems of anti-network attack flow overload protection | |
EP2570954A4 (en) | Method, device and system for preventing distributed denial of service attack in cloud system | |
WO2006107712A3 (en) | Method and apparatus for defending against zero-day worm-based attacks | |
WO2012024762A8 (en) | Method and apparatus for filtering streaming data | |
WO2005017708A3 (en) | Method and apparatus for detecting predefined signatures in packet payload using bloom filters | |
CN101547187B (en) | Network attack protection method for broadband access equipment | |
EP1484887A3 (en) | A multi-layer based method for implementing network firewalls | |
WO2014070883A3 (en) | Method and system for identifying matching packets | |
CN101640666A (en) | Device and method for controlling flow quantity facing to target network | |
WO2006105093A3 (en) | Methods, systems, and computer program products for network firewall policy optimization | |
EP4246932A3 (en) | Method for transmitting data in a multimedia transmission system | |
CN101465855B (en) | Method and system for filtrating synchronous extensive aggression | |
CN104767752A (en) | Distributed network isolating system and method | |
CN103546465A (en) | Data flow circle monitoring based LDoS (low-rate denial of service) attack detection and defense method | |
WO2003005666A3 (en) | An apparatus and method for secure, automated response to distributed denial of service attacks | |
WO2009037422A8 (en) | Queuing method | |
MX2009011403A (en) | Method and apparatus for detecting port scans with fake source address. | |
WO2011051026A3 (en) | Method and system for processing network events | |
EP2179542A4 (en) | Methods, systems, and computer readable media for collecting data from network traffic traversing high speed internet protocol (ip) communication links |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | ENP | Entry into the national phase | Ref document number: 2009539507; Country of ref document: JP; Kind code of ref document: A |
 | WWE | WIPO information: entry into national phase | Ref document number: 2671451; Country of ref document: CA. Ref document number: 2007864977; Country of ref document: EP |
 | NENP | Non-entry into the national phase | Ref country code: DE |